APIs are the foundation of the Internet. Nearly every modern software application, including the inner workings of that mobile device that never leaves your side, uses—or is—an API. As companies expand digital transformation initiatives, APIs enable development teams to integrate data from external sources and deliver new services and capabilities rapidly, requiring little to no downtime for consumers.
Whether consumers realize it or not, APIs power their connectivity and overall engagement on a daily—if not hourly—basis. Using the Dunkin Donuts app to mobile order your coffee ahead of time? APIs enable this transaction. Searching for the best deals on a flight via a central travel booking site? APIs connect Kayak with American Airlines, Delta, United Airlines and others. Using Facebook, Twitter, LinkedIn or Google username and password to log in to a new app or website? Once again, you can thank APIs.
In short, APIs power the digital experiences of consumers today. It is important to note, however, as API use increases, so do security risks because APIs are easy to deploy but hard to control.
Engagement comes at a price
Organizations often focus primarily on building the next great piece of code to remain competitive in challenging markets, and building in security can seem like a hindrance, or a “nice to have” rather than a necessity. In addition, many lose focus when it comes to sunsetting and deprecating API endpoints. These unused and vulnerable APIs — some are spun up without authorization (“rogue”), others sit in production long after their useful life expires (“zombie”)— can leave organizations with exposed endpoints that attackers can exploit to wreak havoc on consumers and their personal data.
The rapid proliferation of APIs has far surpassed many security teams’ ability to protect these assets. Now, APIs have become the attack vector of choice for threat actors who exploit insecure APIs for malicious purposes. In 2021, APIs were exploited in breaches that impacted Amazon’s Twitch, Facebook, Instagram, LinkedIn, Peloton and T-Mobile, among others.
My team recently conducted the API [In] Security: The Consumer Perspective survey to understand the potential impact of API security, or lack thereof, on the consumer experience. The results pointed to some interesting findings, as well as advice for brands considering how seriously to take their API security.
Insecure APIs equal lost customers
While convenience and ease of use are huge benefits of APIs, consumers, as well as businesses, should consider the associated risk. Consumers are recognizing their risk in greater numbers, and their discontent showed itself in our findings. Consumers broadly reported that if the following PII was stolen from a brand in a breach, they would stop working with that brand altogether:
Banking information (72% reported that loss of this would cause them to leave a brand)
Social Security number (68%)
Credit card number (64%)
Further, 61% of respondents do not feel confident that brands prioritize building security into their APIs and associated applications. When asked if brands prioritize the security of their PII, 64% of respondents reported “no” or “not sure.” These data points exemplify a widely held belief that brands do not have consumers’ best interest in mind when it comes to data security and the products they put on the market.
Additionally, after hearing about a data breach, only 26% of respondents assume that a brand did everything in its power to protect against an attack. And, 74% of respondents reported that they either have “minimal” or “no” influence to encourage brands to take their security more seriously, which may signal a resignation among consumers that data breaches are inevitable.
This data should be a wake-up call for brands. As more and more technological advancements rely on the APIs that support web and mobile applications, the lack of protection felt by consumers, and the predicted increase of data breaches, will likely sow more discontent. In particular, brands that are trusted with consumer data should be relied upon to protect it from threat actors. But there is good news, however.
Will security efforts pay off?
As it turns out, investing in security efforts that protect consumers’ data is a win-win for both the brand and the consumer. Brands would be wise to build security into their applications, which requires both secure development processes and protection solutions in place. 65% of respondents would consider paying more for an application or tech that was marketed as “secure.” Additionally, only 30% of respondents reported that if a mobile, web application or piece of technology they purchased was down once per week for updates they would leave the brand.
So what does this mean? This means that consumers likely won’t face any sticker shock when it comes to products that have additional layers of security that keeps their data safe from threat actors. Additionally, savvy consumers understand the role product updates play in their overall security and protection posture. If your product is one that consumers value, they will put up with the occasional downtime, provided that it gives them the peace of mind that the brand is taking data security seriously.
The data shows that security may actually be a differentiator for brands, rather than a hindrance. Investing more time and money into developing a robust security program could be the difference between a brand-loyal consumer, one that knows their brand of choice has their best interest at heart, and one that will move on to the next application or piece of software after one too many breaches. With APIs in threat actors’ crosshairs in 2022, it is imperative that brands don’t wait until their names are in the news for all the wrong reasons.